Principal Drift: The Missing Identity Layer in Enterprise Agent Architectures

The architecture diagrams have been reliably impressive. There are boxes for the MCP gateway, the tool registry, the vector store, the orchestrator, the policy engine, and the observability stack. There are arrows showing how agents discover each other, share context, and call tools across the mesh. By 2026 standards, these are the table-stakes pictures for any serious agentic deployment. But what none of them show anywhere is the principal.

When an agent calls a tool, who is it calling as? The human who initiated the conversation? The agent itself? Some composite identity that blends both? The answer, in most deployments I've seen, is 'it depends' — which is a terrifying answer for any security or compliance officer.

Principal drift is what happens when an agent starts an operation acting as User A, but somewhere in the chain of tool calls, context switches, or sub-agent invocations, it ends up acting as User B — or worse, as a system account with no human accountability at all.

The industry is spending billions on making agents smarter, faster, and more autonomous. But we're spending almost nothing on making them accountable. That's a recipe for a catastrophe that will set the field back years.

Every tool call, every data access, every decision needs to carry an unforgeable identity token that can be traced back to a specific principal. This isn't just good practice — it's the only way to build systems that can be audited, governed, and trusted at scale.